This AWS code sample demonstrates how to decrypt an encrypted data key and then immediately re-encrypt it under a different customer master key (CMK).

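```java
package aws.example.kms;

import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.ReEncryptRequest;

import java.nio.ByteBuffer;
import java.util.Base64;

public class ReencryptDataKey {
    public static void main(String[] args) {
        AWSKMS kmsClient = AWSKMSClientBuilder.standard().build();

        // Re-encrypt a data key
        // Replace the placeholder with the Base64-encoded ciphertext of the data key;
        // it is decoded to the raw bytes that KMS expects as the ciphertext blob
        String sourceCiphertextBase64 = "Place your Base64-encoded ciphertext here";
        ByteBuffer sourceCiphertextBlob =
                ByteBuffer.wrap(Base64.getDecoder().decode(sourceCiphertextBase64));

        // Replace the following fictitious CMK ARN with a valid CMK ID or ARN
        String destinationKeyId = "1234abcd-12ab-34cd-56ef-1234567890ab";

        ReEncryptRequest req = new ReEncryptRequest();
        req.setCiphertextBlob(sourceCiphertextBlob);
        req.setDestinationKeyId(destinationKeyId);

        // KMS decrypts and re-encrypts inside the service; the plaintext data key
        // is never returned to the caller, only the new ciphertext blob
        ByteBuffer destinationCipherTextBlob = kmsClient.reEncrypt(req).getCiphertextBlob();
    }
}
```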

Sample Details

Service: kms

Last tested: 2019-04-08

Author: AWS

Type: full-example